1. Purpose of this Page
This page contains a list of the technical and operational measures which are applicable as a standard. The actual measures taken depend on the Service and the location of processing concerned for reasons that not all measures are relevant for all Services and locations. Worldline Sweden AB guarantees it has for all Services and locations the necessary adequate technical and operational measures included in the list below following a Data Protection Impact Assessment. The measures are designed to:
- ensure the security and confidentiality of Personal Data;
- protect against any anticipated threats or hazards to the security and integrity of Personal Data;
- protect against any actual unauthorized processing, loss, use, disclosure or acquisition of or access to any Personal Data
The page also contains a list of subcontractors used by Worldline Sweden to deliver its services. Worldline Sweden ensures that all its subprocessors have provided adequate guarantees on the protection of personal data they process on our behalf.
Worldline Sweden commits to continuous monitoring the effectiveness of its information safeguards and to a yearly compliance audit by a Third Party to provide assurance on the measures and controls in place.
2. Technical And Organisational Measures
A. People, awareness and HR:
- All recruitments follow a screening process according to the principles of the Worldline Group background check policy;
- In each contract each employee has Non-Disclosure Agreements clauses;
- Code of Ethics awareness training (including a test) is a yearly obligation for all employees and is to be performed through a dedicated e-learning module;
- Group IT Acceptable Use policy or local version, are shared with all employees;
- Security policy statement signed by the Management is shared with all employees;
- Worldline staff is obliged on a yearly basis to follow the Worldline Data Protection policy, Information Security and Safety training (including a test);
- Regular awareness trainings on GDPR for all employees (in addition to Worldline Data Protection policy, Information Security and Safety training);
- Access to systems is provided on a ‘need to have basis’ taken into account segregation of duties;
- Regular internal security audits are conducted to verify the security practices.
B. Physical Security and paper records:
Compliance with the Group Worldline Physical and Environmental Security policy:
- Access control and visitor management systems implemented for all visitors/guests;
- Physical access reviews as per defined periodicity;
- Clean desk, clear screen and follow me printing, process implemented;
- Information, which includes paper documents, handled by the data importer is classified, labelled, protected and handled according to the Worldline information classification policy;
- Except with prior specific authorization, laptops and desktops are not taken off the site;
- CCTV surveillance to protect restricted areas;
- Fire alarm and fire-fighting systems implemented for employee safety;
- Fire evacuations drills are conducted at specified frequencies;
C. Remote end user device are protected:
The remote users are working with laptop and desktop on Worldline secured network maintained by Global IT for the Worldline Group. Following security measures are incorporated in addition:
- Encryption of the hard disk on company assigned laptops;
- 2 Factors Authentication (PKI / Alternative);
- Centrally managed and anti-virus protection;
- Management and monitoring of the software to control an authorized software installation;
- Vendor supplied updates are installed;
- All the laptops and desktops working on the Worldline Sweden projects follow a strong overwriting process before it is reassigned;
- Login ID and password controls are implemented to access information;
- Periodic access review is implemented;
- E-mails are automatically scanned by anti-virus and anti-spam software.
D. Remote Access Security
2-factor authentication is used in general for remote access to the critical Worldline target systems. If the source of the remote connection is a Worldline Sweden controlled system then device authentication based on a certificate on the device is implemented. If the source is not under Worldline control, it should connect to a virtual desktop system.
Any other set up of connections needs to be upfront approved by the security department.
E. Generic security measures are a.o.:
- Data is only stored in the EU Data Centers or in case of laptops encrypted on the local device;
- Termination of access connection in Demilitarized Zone;
- All connectivity up to the secured area (PCI zone) is encrypted;
- Access to PCI zone only possible via strong authentication via Worldline Sweden provided security client;
- Multiple layers of firewalls & intrusion detection need to be passed;
- Access managed according to Role Based Access Control principles.
F. Access control to Personal Data
Employees with access to private data can only access the data that are necessary for the purpose of the activities under their responsibility. Access authorisation is provided based on the ‘need to know’ and ‘need to access’ and is either role based or name based. Access logs are in place and the responsibility for access control is assigned.
Following measures are in place:
- Obligation for employees to comply with the applicable Worldline group and local security policies and data protection policies;
- Work instructions on handling private data;
- User (password) codes for access to Private Data;
- Differentiated access regulations (e. g. partial blocking);
- Access Logging and control;
- Controlled destruction of data media;
- Procedures for Checking compliance with procedures and work instructions are in place;
- Formalised Control frameworks and TPA to take care that not a single person can access, modify or use critical information assets without authorization or detection;
G. Security and confidentiality of personal data
Based on a risk assessment (and if required an additional DPIA) Worldline Sweden will ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the anonymization, pseudonymisation (e.g. tokenization) and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- ensure a logical separation between its own data, the data of its customers and suppliers
- setup a process to keep processed data accurate, reliable and up-to-date.
- Process registers according GDPR requirements
- Access log systems’ use with relevant for the purposes of being able to detect unauthorized access attempts
- Customer Data (including back-ups and archives) will only be stores for as long as it serves the purposes for which the data was collected unless there is a legal or contractual obligation to retain the data for a longer period of time.
H. Organization control
The Data Processor shall maintain its internal organization in a manner that meets the requirements of the applicable legislation and the Data controller requirements on data security. This shall be accomplished by:
- Internal data processing policies and procedures, guidelines, work instructions, process descriptions and regulations for programming, testing and release, insofar as they relate to the Personal Data transferred by the Controller;
- Implementing a Data Protection control framework that is audited on compliance on a yearly basis
- Having an emergency plan with procedures and allocation of responsibilities in place (backup contingency plan).
3. Used Sub-Contractors
Worldline Sweden uses the following sub-contractors to provide its services:
- ACI Worldwide Limited – ReD Shield Services
- Amazon Web Services, Inc.
- Equinix Sweden AB
- Precision Software Limited